CVE-2026-27625
Path Traversal in Stirling-PDF Allows Arbitrary File Write
Publication date: 2026-03-20
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stirling | stirling_pdf | before 2.5.2 (2.5.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27625 is a path traversal vulnerability in the Stirling-PDF web application, specifically in the /api/v1/convert/markdown/pdf endpoint. This endpoint extracts user-supplied ZIP files without validating the paths of the ZIP entries.
Because of this lack of validation, an authenticated user can craft a malicious ZIP file containing entries with directory traversal sequences (like ../../) that allow writing files outside the intended temporary working directory.
This arbitrary file write occurs with the privileges of the Stirling-PDF process user (stirlingpdfuser), enabling overwriting of writable files and compromising data integrity.
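As an added illustration, not code from Stirling-PDF or from this advisory, the containment check the vulnerable endpoint is described as lacking, written in Python: every ZIP entry name is resolved against the destination directory before anything is written, and an archive with even one escaping entry is refused whole. Function names, the in-memory sample archives and the temporary destination directory are all constructed for the example.

```python
import io, os, tempfile, zipfile
from pathlib import Path

def is_entry_safe(dest_dir: Path, entry_name: str) -> bool:
    """True only if the entry resolves inside dest_dir ('..' is collapsed by resolve())."""
    if os.path.isabs(entry_name) or os.path.splitdrive(entry_name)[0]:
        return False  # absolute names and drive letters never belong in an upload
    root = dest_dir.resolve()
    target = (root / entry_name).resolve()
    return target == root or root in target.parents

def find_traversal_entries(zip_bytes: bytes, dest_dir: Path) -> list[str]:
    """Detection helper: names of entries that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_entry_safe(dest_dir, n)]

def safe_extract(zip_bytes: bytes, dest_dir: Path) -> list[Path]:
    """Refuse the whole archive if any entry escapes, so no partial upload reaches disk."""
    bad = find_traversal_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename or info.is_dir():
                continue  # directory entries are created implicitly below
            target = (dest_dir / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written

def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # constructed input; writestr keeps '..' in names verbatim
    return buf.getvalue()

def demo() -> dict:
    """Run the check on a benign and a traversal archive against a fresh temp dir."""
    dest = Path(tempfile.mkdtemp())
    hostile = build_sample_zip({"doc.md": b"# hi", "../../outside.txt": b"x"})
    benign = build_sample_zip({"doc.md": b"# hi", "img/a.png": b"\x89PNG"})
    flagged = find_traversal_entries(hostile, dest)
    written = sorted(p.relative_to(dest.resolve()).as_posix() for p in safe_extract(benign, dest))
    return {"dest": dest, "hostile": hostile, "flagged": flagged, "benign_written": written}
```

The same `find_traversal_entries` check can be run over uploaded archives at the gateway or in a scanner to flag attempts before they reach an unpatched instance.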
How can this vulnerability impact me?
An authenticated attacker can exploit this vulnerability to overwrite arbitrary files on the system with the permissions of the Stirling-PDF process user.
This can lead to compromise of data integrity by modifying or replacing files unexpectedly.
Depending on which writable paths are accessible, the attacker could cause further system impact, potentially affecting availability and integrity of the system.
The vulnerability has a high severity rating with a CVSS v3.1 base score of 8.1, indicating significant risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for attempts to exploit the path traversal issue in the /api/v1/convert/markdown/pdf endpoint of Stirling-PDF versions prior to 2.5.2.
Specifically, detection can focus on identifying authenticated requests that upload ZIP files containing entries with directory traversal sequences such as "../../" which attempt to write files outside the intended temporary directory.
Additionally, server logs may show 500 errors with FileAlreadyExistsException messages indicating attempted overwrites of existing files due to path traversal.
Suggested commands include:
- Inspect web server or application logs for POST requests to /api/v1/convert/markdown/pdf containing suspicious ZIP file uploads.
- Use grep or similar tools to search logs for directory traversal patterns, e.g., `grep -r "\.\./" /path/to/stirlingpdf/logs`.
- Monitor for 500 Internal Server Errors related to FileAlreadyExistsException in application logs.
- If possible, capture and analyze network traffic to detect ZIP file uploads with malicious entry names containing traversal sequences. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Stirling-PDF to version 2.5.2 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the /api/v1/convert/markdown/pdf endpoint to trusted authenticated users only, and monitor for suspicious activity as described.
Additionally, review and tighten file system permissions for the Stirling-PDF process user (stirlingpdfuser) to limit writable directories and reduce the impact of potential exploitation.
Consider implementing network-level controls such as firewalls or API gateways to restrict access and detect anomalous requests.